Step 2 – Confirm administrator details

I checked all existing accounts using PHPmyAdmin which allows me to check/modify database entries.

There were no new accounts and existing account info was correct.

If you need to do this, chances are you’ll have PHPmyAdmin but exactly how you access it will vary depending on your web host.

They should have some documentation on this.

Step 3 – Get the pro’s in to help

I did some quick research to see who could help me with this problem and I saw a lot of good things about the team at Sucuri.

I’d used their free malware scanner in the past and I follow their blog because they do a great job at finding plugin vulnerabilities.

Sucuri offer straight forward annual plans so I purchased a plan which set me back $299.99/year.

Which includes (but isn’t limited to):

Unlimited malware clean up

Website blacklist removal

Malware detection for unlimited pages

Firewall & CDN for added security + speed

$299.99 seems a lot considering how rare it is for this to happen but I feel it’s worth it to ensure my site is kept safe.

It would be nice if I could have got this resolved for free but it’s not worth taking any chances.

Step 4 – Submit malware removal request

To get the ball rolling, I submitted my malware removal request along with FTP details.

It took till Sunday morning for Sucuri to get to my ticket due to heavy workload at the weekend.

Once one of the Sucuri team started work, my site was cleaned up within 30 minutes.

They also hardened the security for some of my blog’s directories.

Step 5 – My host flicks the switch back on

Now the site had been cleaned I was able to ask my host to switch my sites on.

They ran another anti-virus scan to confirm my sites were clean and then switched everything on again.

Within 30 minutes everything was working as it should be.

This is why I love hosting my sites with WPX Hosting – they respond to email support tickets fast.

Most tend to be within 20 minutes.

Which is amazing in comparison to other hosts I’ve used. Most of them don’t respond to support tickets for 1-2 days.

Note

Since first publishing this post in 2014, WPX Hosting has rolled out free malware clean ups. If you host your site with them, they’ll remove malware at no extra cost. Pretty amazing. They also have enterprise level DDoS protection from Incapsula on their servers.

Important next steps

Even though the infected site was cleaned and all sites on the server were checked, there were steps I still needed to take.

Step 6 – Update passwords

I set about changing passwords including:

Hosting

WordPress admin

Database

FTP

This also required me to update the wp-config.php file on each site to make sure my sites kept working after FTP and database details were changed.

Step 7 – Activate server side scanning

One of the other helpful features that comes with a Sucuri plan is the server side scanning.

It’s similar to their regular website monitor but it can scan much deeper making it far more accurate.

Due to my websites being disabled, I had to wait until everything was working so I could activate this.

I was able to upload a file to each of my domains, click enable and we were ready to go.

Step 8 – Run backups

My web host takes regular backups but one thing I’ve learned over the years is that you need multiple redundancies.

I use BackupBuddy for this, it’s a paid plugin but there are plenty of other great alternatives like BackWPup which you can use for free. This post has more details on alternatives and the features of both BackupBuddy and BackWPup.

Step 9 – Update WordPress, themes and plugins

Now that I had my sites backed up, it was time to start updating themes, plugins and the WordPress core files for each site.

This is just a security precaution but it’s important to do just in case.

There have been times when I’ve updated plugins and sites have collapsed.

This is why taking regular backups is so important – it’s rare but you should never take the chance.

Fortunately updates didn’t cause any issues.

Additional resources

Now that I’ve got Sucuri monitoring setup and access to their team, I can rest easier but the truth is that there are always other ways to improve WordPress security.

Sucuri have a tool called SiteCheck which is a free malware scanner, it’s not as good as the server side scanner you get with the paid plan but it’s great for a free tool.

Over to you

Security matters.

You don’t have to be an expert, there are plenty of resources like those listed above which you can use to secure your blog and rest easier.

Nothing will ever be 100% secure but you need to be as prepared as possible. If anything happens there are great folks that do this work freelance or the awesome teams at companies like Sucuri who you can go to.